Disclosed embodiments provide systems and methods for analyzing and optimizing access policies. Access policies are analyzed by an access policy optimization system. In cases where large numbers of users have similar access privileges, the number of overall policies can be significantly reduced. An access control health metric is computed on an original set of access data as a measure of the current state of the access policies. It can be used as an indication that optimization of the access policies is warranted. The access data can include access policies and/or access groups. A policy subgroup mapping process is performed to identify subgroups of access policies. Subgroups with a number of entries exceeding a predetermined value are converted to access groups, the users that have those policies are added to the corresponding access groups, and the individual access policies are deleted. Duplicative and/or redundant policies are identified and removed.
Legal claims defining the scope of protection, as filed with the USPTO.
. A computer-implemented method for access policy data optimization, comprising:
. The method of, further comprising:
. The method of, wherein the policy subgroup mapping is performed using a greedy cover set process.
. The method of, wherein the access control health metric is computed as a function of policy headroom.
. The method of, wherein the access control health metric is computed as a function of required computation power.
. The method of, wherein the initiation message is generated in response to a value of the access control health metric.
. The method of, wherein the initiation message is generated in response to an addition of a subject.
. The method of, wherein the initiation message is generated in response to an addition of a resource.
. The method of, wherein the initiation message is generated in response to removal of a subject.
. The method of, wherein the initiation message is generated in response to removal of a resource.
. An electronic computation device comprising:
. The electronic computation device of, wherein the memory further comprises instructions, that when executed by the processor, cause the electronic computation device to:
. The electronic computation device of, wherein the memory further comprises instructions, that when executed by the processor, cause the electronic computation device to perform a policy subgroup mapping by a greedy cover set process.
. The electronic computation device of, wherein the memory further comprises instructions, that when executed by the processor, cause the electronic computation device to compute the access control health metric as a function of policy headroom.
. The electronic computation device of, wherein the memory further comprises instructions, that when executed by the processor, cause the electronic computation device to compute the access control health metric as a function of access group headroom.
. A computer program product for an electronic computation device comprising a computer readable storage medium having program instructions embodied therewith, the program instructions executable by a processor to cause the electronic computation device to:
. The computer program product of, wherein a memory further comprises instructions, that when executed by the processor, cause the electronic computation device to:
. The computer program product of, wherein the computer readable storage medium includes program instructions executable by the processor to cause the electronic computation device to perform a policy subgroup mapping by a greedy cover set process.
. The computer program product of, wherein the computer readable storage medium includes program instructions executable by the processor to cause the electronic computation device to compute the access control health metric as a function of policy headroom.
. The computer program product of, wherein the computer readable storage medium includes program instructions executable by the processor to cause the electronic computation device to compute the access control health metric as a function of access group headroom.
Complete technical specification and implementation details from the patent document.
The present invention relates generally to computer systems, and more particularly, to performance-based transforming of access policies in computer systems.
Distributed computer systems, such as enterprise-based computer systems, may have many thousands of users, each having access to one or more resources. Resources can include a particular computer, computer system, website, virtual machine, application, container, printer, and/or other resource. There are various types of access that can be granted. Examples include read access, write access, admin access, and others.
Access control policies, in general, are based on the concepts of subjects, objects, operations, and privileges. A subject is an actor (e.g., a user, service, or other entity that needs access to computer resources) that is trying to perform an action on an object. An object is a resource that needs to be protected from unauthorized use (e.g., a computer, a database, a printer, and/or the like). An operation is any action a subject might carry out on an object (e.g., read, write, etc.), and different operations may be relevant on different kinds of objects. A privilege is the permission for a user to perform a certain operation on a specified object.
Attribute Based Access Control (ABAC) is a paradigm used to manage the access of multiple users to multiple resources. Attributes may be considered characteristics of anything that may be defined and to which a value may be assigned. In its most basic form, ABAC relies upon the evaluation of attributes of the subject (e.g., a user, service, or other entity that needs access to computer resources), attributes of the object, environment conditions, and a formal relationship or access control rule defining the allowable operations for subject-object attribute and environment condition combinations.
In one embodiment, there is provided a computer-implemented method for access policy data optimization, comprising: obtaining an initiation message; obtaining an original set of access data, wherein the original set of access data comprises a plurality of access policies; computing an access control health metric on the original set of access data, and in response to the access control health metric falling below a predetermined threshold: performing a policy subgroup mapping to identify at least one subgroup; converting each subgroup of the at least one subgroup that exceeds a predetermined size to an access group; and removing each access policy that is referenced in the converted subgroups.
In another embodiment, there is provided an electronic computation device comprising: a processor; a memory coupled to the processor, the memory containing instructions, that when executed by the processor, cause the electronic computation device to: obtain an initiation message; obtain an original set of access data, wherein the original set of access data comprises a plurality of access policies; compute an access control health metric on the original set of access data, and in response to the access control health metric falling below a predetermined threshold: perform a policy subgroup mapping to identify at least one subgroup; convert each subgroup of the at least one subgroup that exceeds a predetermined size to an access group; and remove each access policy that is referenced in the converted subgroups.
In another embodiment, there is provided a computer program product for an electronic computation device comprising a computer readable storage medium having program instructions embodied therewith, the program instructions executable by a processor to cause the electronic computation device to: obtain an initiation message; obtain an original set of access data, wherein the original set of access data comprises a plurality of access policies; compute an access control health metric on the original set of access data, and in response to the access control health metric falling below a predetermined threshold: perform a policy subgroup mapping to identify at least one subgroup; convert each subgroup of the at least one subgroup that exceeds a predetermined size to an access group; and remove each access policy that is referenced in the converted subgroups.
The drawings are not necessarily to scale. The drawings are merely representations, not necessarily intended to portray specific parameters of the invention. The drawings are intended to depict only example embodiments of the invention, and therefore should not be considered as limiting in scope. In the drawings, like numbering may represent like elements. Furthermore, certain elements in some of the Figures may be omitted, or illustrated not-to-scale, for illustrative clarity.
Over the course of time, as people join and leave an organization, and new computer resources are added to an enterprise computer system, the number of access policies can grow astronomically. In many situations, an administrator is reluctant to manually optimize policies for concern of making a mistake that could lead to incorrect access privileges. The result is, over time, there can be many thousands of redundant and/or duplicative access policies. This ‘policy bloat’ has a tangible cost associated with it. Often, systems have finite limits for the number of access policies. Furthermore, a large number of redundant access policies can slow performance, increase login/access times, and consume precious CPU cycles of servers as well as other vital computing resources, such as memory and network bandwidth.
Disclosed embodiments provide systems and methods for analyzing and optimizing access policies. Access policies are analyzed by an access policy optimization system. Where feasible, equivalent access policies amongst multiple users are converted to an access group. In cases where a large number of users have similar access privileges, the number of overall policies can be significantly reduced. An access control health metric is computed on an original set of access data. The access control health metric can be used to assess the current state of the access system. It can provide an indication as to whether optimization of the access policies is warranted.
The access data can include access policies and/or access groups. A policy subgroup mapping process is performed to identify subgroups of access policies. Subgroups with a number of entries exceeding a predetermined value are converted to access groups, the users that have those policies are added to the corresponding access groups, and the individual access policies are then deleted. Additionally, duplicative and/or redundant policies are identified and removed. Thus, disclosed embodiments simplify access policy management, and improve computer performance and conserve computer resources by reducing the number of access policies while preserving access rights for all subjects within the system.
Reference throughout this specification to “one embodiment,” “an embodiment,” “some embodiments”, or similar language means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Thus, appearances of the phrases “in one embodiment,” “in an embodiment,” “in some embodiments”, and similar language throughout this specification may, but do not necessarily, all refer to the same embodiment.
Moreover, the described features, structures, or characteristics of the invention may be combined in any suitable manner in one or more embodiments. It will be apparent to those skilled in the art that various modifications and variations can be made to the present invention without departing from the spirit and scope and purpose of the invention. Thus, it is intended that the present invention cover the modifications and variations of this invention provided they come within the scope of the appended claims and their equivalents. Reference will now be made in detail to the preferred embodiments of the invention.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of this disclosure. As used herein, the singular forms “a”, “an”, and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. Furthermore, the use of the terms “a”, “an”, etc., do not denote a limitation of quantity, but rather denote the presence of at least one of the referenced items. The term “set” is intended to mean a quantity of at least one. It will be further understood that the terms “comprises” and/or “comprising”, or “includes” and/or “including”, or “has” and/or “having”, when used in this specification, specify the presence of stated features, regions, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, regions, or elements.
is an environment for embodiments of the present invention. Access Policy Optimization System (APOS) comprises a processor, a memory coupled to the processor, and storage. System is an electronic computation device. The memory contains program instructions, that when executed by the processor, perform processes, techniques, and implementations of disclosed embodiments. Memory may include dynamic random-access memory (DRAM), static random-access memory (SRAM), magnetic storage, and/or a read only memory such as flash, EEPROM, optical storage, or other suitable memory and should not be construed as being a transitory signal per se. In some embodiments, storage may include one or more magnetic storage devices such as hard disk drives (HDDs). Storage may additionally include one or more solid state drives (SSDs). The APOS is configured to interact with other elements of environment. APOS is connected to network, which can be the Internet, a wide area network, a local area network, and/or other suitable network.
Environment may include one or more client devices, indicated as. Client device can include a laptop computer, desktop computer, tablet computer, smartphone, and/or other suitable computing device. Client device may be used to configure APOS.
Environment may include an authorization system. The authorization system may include one or more computers, virtual machines, and/or containerized applications that store and implement ABAC. Policies for individual users, and access groups may be stored on authorization system as JSON files, XML files, yaml files, and/or other suitable representations. The authorization system may perform access control functions, and/or interface with other access control components such as an LDAP server, Kerberos server, Active Directory server, and/or other suitable components.
Environment may include one or more cloud services, indicated generally as. It is to be understood that although this disclosure includes a detailed description on cloud computing, implementation of the teachings recited herein is not limited to a cloud computing environment. Rather, embodiments of the present invention are capable of being implemented in conjunction with any other type of computing environment now known or later developed.
Cloud computing is a model of service delivery for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, network bandwidth, servers, processing, memory, storage, applications, virtual machines, and services) that can be rapidly provisioned and released with minimal management effort or interaction with a provider of the service. This cloud model may include at least five characteristics, at least three service models, and at least four deployment models.
Characteristics are as follows:
On-demand self-service: a cloud consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with the service's provider.
Broad network access: capabilities are available over a network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).
Resource pooling: the provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to demand. There is a sense of location independence in that the consumer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter).
Rapid elasticity: capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.
Measured service: cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.
Service Models are as follows:
Software as a Service (SaaS): the capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based e-mail). The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
Platform as a Service (PaaS): the capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including networks, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.
Infrastructure as a Service (IaaS): the capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls).
Deployment Models are as follows:
Private cloud: the cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on-premises or off-premises.
Community cloud: the cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on-premises or off-premises.
Public cloud: the cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
Hybrid cloud: the cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).
A cloud computing environment is service oriented with a focus on statelessness, low coupling, modularity, and semantic interoperability. At the heart of cloud computing is an infrastructure that includes a network of interconnected nodes.
Environment may include one or more application servers, indicated generally as. The application servers may use one or more of the cloud services. Similar to an individual user, applications also have access that is managed by access policies and/or access groups.
and show an example of policy reduction using access groups. shows an example of redundant policies. shows access policy data records for five users. User 1, indicated as, has policies. User 1 has five policies, indicated as R (read), W (write), C (copy), P (print), and A (admin). These policies are exemplary, and other embodiments may use more, fewer, and/or different policies. User 2, indicated as, has policies. User 2 has three policies, indicated as R (read), W (write), and C (copy). User 3, indicated as, has policies. User 3 has four policies, indicated as R (read), W (write), C (copy), and P (print). User 4, indicated as, has policies. User 4 has two policies, indicated as R (read), and C (copy). User 5, indicated as, has policies. User 5 has three policies, indicated as R (read), W (write), and C (copy). As can be seen in, all users (User 1-User 5) have R (read), W (write), and C (copy) privileges. Embodiments identify this commonality and form a subgroup. The subgroup can include the list of privileges, and the list of users associated with those privileges. The subgroup can be converted to an access group in order to reduce the overall number of access policies in use.
shows an example of policy reduction using access groups. As can be seen in, an access group AG1, indicated as, is part of the policy data of. The access group AG1 has a member list, which includes User 1, User 2, User 3, and User 5. The access group AG1 has policies. Access group AG1 has three policies, indicated as R (read), W (write), and C (copy). User 4 is not included in access group, since the corresponding policies indicated at do not match the policies with the access group.
Returning again to, it can be seen that amongst the access data for the five users (User 1-User 5), there are a total of 17 policies. In embodiments, the APOS () performs operations to convert the access policies shown in, to that shown in, without making any functional changes to the access privileges for each user. In this example, the APOS determined that User 1 (), User 2 (), User 3 (), and User 5 (), all had R (read), W (write), and C (copy) policies. The APOS, as part of the access policy optimization process, created the access configuration shown in, in which access group AG1 exists. User 1, indicated as, has an access group list, which includes access group 1. Similarly, User 2, indicated as, has an access group list, which includes access group 1. Similarly, User 3, indicated as, has an access group list, which includes access group 1. Similarly, User 5, indicated as, has an access group list, which includes access group 1. User records can include both access groups, as well as individual access policies. As can be seen in, User 1, indicated as, includes access control list, which includes access group AG1, and policies P (print), and A (admin). Similarly, User 3, indicated as, includes access control information, which includes access group AG1, and policy P (print).
Comparing the number of policies and/or access groups between and, it can be seen that while there are 17 policies in, there are a total of nine policies/access groups amongst the access data for the five users. Thus, the number of policies is considerably reduced, while the access privileges of each user have been maintained after the optimization shown in. In other words, each user (User 1-User 5) has the same privileges in the post-optimization scenario of, as in the pre-optimization scenario of. Thus, disclosed embodiments can optimize policies while leaving access privileges unchanged from their pre-optimization status.
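The subgroup mapping and access-group conversion described above, as an added example in Python that is not code from the patent: it takes the five-user policy data of the example, greedily picks the shared policy set that eliminates the most per-user entries (a simple greedy cover heuristic), converts it to an access group, and then checks that every user's effective privileges are unchanged. The candidate generation, the benefit score and the `min_members` threshold standing in for the "predetermined size" are my assumptions.

```python
"""Greedy policy-subgroup mapping: convert policy sets shared by many users
into a single access group while keeping every user's privileges unchanged."""
from itertools import combinations

# Constructed sample, following the five-user example in the description:
# R=read, W=write, C=copy, P=print, A=admin (17 individual policies in total).
ORIGINAL_POLICIES = {
    "User 1": {"R", "W", "C", "P", "A"},
    "User 2": {"R", "W", "C"},
    "User 3": {"R", "W", "C", "P"},
    "User 4": {"R", "C"},
    "User 5": {"R", "W", "C"},
}


def candidate_subgroups(policies):
    """Candidate shared policy sets: each user's own set plus every pairwise
    intersection (assumed candidate generation; enough for a greedy pass)."""
    cands = {frozenset(p) for p in policies.values() if p}
    for a, b in combinations(policies.values(), 2):
        common = frozenset(a & b)
        if common:
            cands.add(common)
    return cands


def greedy_subgroup_mapping(original, min_members=3):
    """Repeatedly convert the most valuable subgroup into an access group.

    A subgroup (policy set S, member set U) removes len(S) individual
    policies from each member and adds one group membership per member, so
    its benefit is len(U) * (len(S) - 1).  Only subgroups with more than
    `min_members` members (the 'predetermined size') are converted.
    """
    policies = {u: set(p) for u, p in original.items()}  # individual policies left
    memberships = {u: [] for u in original}              # access groups per user
    groups = {}                                          # group name -> policy set
    while True:
        best, best_gain = None, 0
        for cand in candidate_subgroups(policies):
            members = [u for u, p in policies.items() if cand <= p]
            gain = len(members) * (len(cand) - 1)
            if len(members) > min_members and gain > best_gain:
                best, best_gain = (cand, members), gain
        if best is None:
            return policies, memberships, groups
        cand, members = best
        name = f"AG{len(groups) + 1}"
        groups[name] = set(cand)
        for u in members:
            policies[u] -= cand          # the group now grants these policies
            memberships[u].append(name)


def effective_privileges(policies, memberships, groups):
    """Privileges a user actually holds: own policies plus those of every group."""
    return {u: set(policies[u]).union(*(groups[g] for g in memberships[u]))
            for u in policies}


def entry_count(policies, memberships):
    """Per-user entries the authorization system must evaluate:
    individual policies plus group memberships."""
    return sum(len(policies[u]) + len(memberships[u]) for u in policies)


if __name__ == "__main__":
    pol, mem, grp = greedy_subgroup_mapping(ORIGINAL_POLICIES)
    before = entry_count(ORIGINAL_POLICIES, {u: [] for u in ORIGINAL_POLICIES})
    print(f"{before} entries before, {entry_count(pol, mem)} after; groups: {grp}")
    # Invariant that matters for security: nobody gained or lost a privilege.
    assert effective_privileges(pol, mem, grp) == ORIGINAL_POLICIES
```

With the example data the pass creates one group (R, W, C) for Users 1, 2, 3 and 5, leaves User 4 untouched, and reduces 17 per-user entries to nine, matching the figures described above.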
shows another example of redundant policies. shows an example of policy reduction using redundancy identification. shows access policy data records for three users. User 1, indicated as, has policies. User 1 has three policies, indicated as R (read), W (write), and R/W (read and write). These policies are exemplary, and other embodiments may use more, fewer, and/or different policies. User 2, indicated as, has policies. User 2 has two policies, indicated as R (read), and W (write). User 3, indicated as, has policies. User 3 has four policies, indicated as R (read), W (write), C (copy), and P (print).
In embodiments, as part of the policy optimization process, the APOS () determines that the R/W policy covers the same permissions as the combination of the R (read) policy, and the W (write) policy. In some embodiments, bitmask operations on an attribute word may be used to determine overlapping privileges amongst access policies. The resulting optimized policy information is shown in. In, User 1, indicated as, has policies. User 1 has the R/W (read and write) policy, which covers the permissions granted by the individual R (read) and W (write) policies. Thus, the individual R (read) and W (write) policies have been removed in the optimized policy information shown in. User 2, indicated as, has policies. User 2 has the R/W (read and write) policy, which covers the permissions granted by the individual R (read) and W (write) policies. User 3, indicated as, has policies. User 3 has the R/W (read and write) policy, which covers the permissions granted by the individual R (read) and W (write) policies. For User 3, the C (copy), and P (print) policies remain.
Comparing and, there are nine policies in, whereas there are only five policies in, while the access permissions for each user are unchanged between the pre and post optimization scenarios. Thus, as can be seen, disclosed embodiments improve the technical field of enterprise-level computing by streamlining access policies, and removing redundant policies, thereby conserving precious computing resources such as CPU cycles, memory, and network bandwidth.
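The bitmask-based redundancy removal above, as an added example in Python that is not the patent's code: each catalogue policy is a bitmask over privilege bits, a user's combined mask is the OR of their policies, and a greedy pass keeps the fewest catalogue policies that reproduce exactly that mask, so R and W collapse into R/W and duplicates vanish. The bit assignments, the policy catalogue and the greedy selection rule are my assumptions.

```python
"""Redundancy removal with bitmask policies: keep the fewest catalogue
policies that grant exactly the privileges a user already holds."""

# Constructed policy catalogue: each policy is a bitmask over privilege bits
# (assumed bit assignments; the patent only says bitmask operations may be used).
PRIVILEGE_BITS = {"read": 1 << 0, "write": 1 << 1, "copy": 1 << 2, "print": 1 << 3}
POLICY_CATALOGUE = {
    "R": PRIVILEGE_BITS["read"],
    "W": PRIVILEGE_BITS["write"],
    "C": PRIVILEGE_BITS["copy"],
    "P": PRIVILEGE_BITS["print"],
    "R/W": PRIVILEGE_BITS["read"] | PRIVILEGE_BITS["write"],
}

# Constructed sample following the three-user example (9 policies in total).
ORIGINAL_POLICIES = {
    "User 1": ["R", "W", "R/W"],
    "User 2": ["R", "W"],
    "User 3": ["R", "W", "C", "P"],
}


def privilege_mask(policy_names, catalogue=POLICY_CATALOGUE):
    """OR together the bitmasks of a user's policies; duplicates collapse for free."""
    mask = 0
    for name in policy_names:
        mask |= catalogue[name]
    return mask


def minimal_policy_set(user_mask, catalogue=POLICY_CATALOGUE):
    """Greedy cover of user_mask by catalogue policies.

    Only policies whose mask is a subset of user_mask are eligible, so the
    result can never grant a privilege the user did not already have.  Each
    round takes the eligible policy covering the most still-uncovered bits
    (ties resolved by catalogue order).
    """
    eligible = {n: m for n, m in catalogue.items() if m and (m & ~user_mask) == 0}
    chosen, remaining = [], user_mask
    while remaining:
        name = max(eligible, default=None,
                   key=lambda n: bin(eligible[n] & remaining).count("1"))
        if name is None or (eligible[name] & remaining) == 0:
            raise ValueError(f"no catalogue policy covers bits {remaining:#b}")
        chosen.append(name)
        remaining &= ~eligible[name]
    return chosen


def optimize_policies(policies, catalogue=POLICY_CATALOGUE):
    """Replace each user's policy list with a minimal equivalent list."""
    return {u: minimal_policy_set(privilege_mask(p, catalogue), catalogue)
            for u, p in policies.items()}


def policy_count(policies):
    return sum(len(p) for p in policies.values())


if __name__ == "__main__":
    optimized = optimize_policies(ORIGINAL_POLICIES)
    for user, before in ORIGINAL_POLICIES.items():
        after = optimized[user]
        # Security invariant: the privilege mask is identical before and after.
        assert privilege_mask(before) == privilege_mask(after)
        print(f"{user}: {before} -> {after}")
    print(f"{policy_count(ORIGINAL_POLICIES)} policies before, "
          f"{policy_count(optimized)} after")
```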
is a flowchart indicating process steps for embodiments of the present invention. At, an initiation message is obtained. The initiation message is used to start the optimization process. Embodiments include a variety of sources for the initiation message. In some embodiments, the initiation message source includes a user-interface event such as a button press, mouse click, or the like. In some embodiments, the initiation message occurs automatically in response to a condition within environment, such as total number of policies, total number of resources, total number of subjects or users, addition of a resource, addition of a subject, removal of a resource, removal of a subject, and/or other conditions. At, original access data is obtained. The original access data refers to the state of the access data prior to optimization. The access data can include access policies, access groups, resources, and subjects (actors).
At, an access control health metric is computed. In some embodiments, the access control health metric is a function of various parameters. In embodiments, the access control health metric M is computed as: ( ) + ( ) + ( ) + ( )
Where P is a measure of policy headroom, G is a measure of access group headroom, C is the compute power required to perform the analysis of policies, and S is the number of subjects (users and/or services) within the access control system. K, K, K and K are constants that can be used to fine-tune the value of M for a particular access control system. In some embodiments, the value of M is normalized to be within a given range (e.g., 0-100).
Compute power required is a measure of the computer resources such as processor cycles, memory, network bandwidth, disk usage, and/or other resources needed to perform introspection and/or analysis of policies. In embodiments, the access control health metric is computed as a function of required computation power.
As an example, if an enterprise account has a significant number of individual access policies, but a small number of groups, then it may require a large amount of compute power to iterate through the list of policies in order to determine whether to grant a request or not.
Disclosed embodiments can perform an optimization to convert some of those individual access policies to groups, such as depicted in; the compute resources are then conserved, since the APOS only has to iterate through a small number of groups to determine whether to grant or not. This can save compute power, and in cases where compute power is a billable item, it can also save money for organizations.
Policy headroom is a measure of the number of new policies the access control system can accept. Access group headroom is a measure of the number of new access groups the access control system can accept. Access control systems may have upper limits for the number of access policies and access groups. When an access control system approaches the upper limits, it can result in a lower access control health metric. The lower access control health metric can be used to automatically initiate a policy optimization process, or indicate to an administrator that policy optimization is warranted. In embodiments, the access control health metric is computed as a function of policy headroom. In embodiments, the access control health metric is computed as a function of access group headroom.
March 17, 2026